| Postfix Integrated Solution | ||
|---|---|---|
| <<< Previous | Postfix + OpenLDAP (Debian) 已完成 2004-9-28 | Next >>> |
創建域郵件存儲目錄
mkdir /var/mail/example.net chown postfix /var/mail/example.net |
配置 Postfix + TLS + LDAP
基本配置
# See /usr/share/postfix/main.cf.dist for a commented, more complete version smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) biff = no # appending .domain is the MUA's job. append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h myhostname = mail.example.net mydomain = example.net alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases #mydestination = debian, example.net, localhost.localdomain, localhost mydestination = $myhostname, $mydomain, $transport_maps #relayhost = ISP SMTP #LAN -> WAN mynetworks = 127.0.0.0/8 mailbox_command = procmail -a "$EXTENSION" mailbox_size_limit = 0 recipient_delimiter = + #================== BASE =================== debug_peer_level = 2 smtpd_tls_loglevel=2 disable_vrfy_command = yes local_recipient_maps = transport_maps = hash:/etc/postfix/transport #=================== LDAP ==================== local_transport = virtual virtual_transport = virtual virtual_mailbox_base = /var/mail virtual_alias_maps = ldap:aliases #virtual_alias_domains = ldap:aliases virtual_mailbox_maps = ldap:mailbox #virtual_mailbox_domains = ldap:mailbox virtual_uid_maps = static:105 virtual_gid_maps = static:109 #virtual_minimum_uid = 500 virtual_mailbox_limit = 0 virtual_maildir_limit_message = "The user you're trying to reach is over quota." virtual_mailbox_limit_maps = ldap:quota virtual_mailbox_limit_override = yes virtual_mailbox_limit_inbox = yes #virtual_mailbox_size_limit = 1024000000 virtual_maildir_extended = yes virtual_create_maildirsize = yes |
transport
建議使用hash表 [1]
debian:/etc/postfix# vi transport example.net virtual: debian:/etc/postfix# postmap transport |
這裡我使用了virtual方式投遞,其它投遞方式還有maildrop:,local:
當然,為了方便管理有時需要使用ldap,配置的方法是:
## Transport transport_server_host = localhost transport_search_base = ou=postfix,dc=example,dc=net transport_query_filter = (%s) (objectClass=postfixVirtualDomain)) transport_result_attribute = transport #or transport_result_attribute = o transport_scope = one transport_cache = yes transport_bind = yes transport_bind_dn = cn=admin,dc=example,dc=net transport_bind_pw = chen transport_maps = ldap:transport mydestination = domaine.tld, host.domain.tld, \ localhost, $transport_maps |
virtual_alias_maps[2]
# ldap:aliases, ldapsource here tell postfix the information while search # Alias instead of using hash file for lookup :-) aliases_server_host = localhost aliases_server_port = 389 aliases_bind = yes aliases_bind_dn = cn=admin,dc=example,dc=net aliases_bind_pw = chen aliases_search_base = ou=postfix,dc=example,dc=net aliases_query_filter = ((objectClass=postfixAccount)(mail=%s))(accountStatus=true)) aliases_result_attribute = maildrop aliases_bind = yes aliases_cache = no aliases_version=3 aliases_debuglevel=0 |
virtual_mailbox_maps
# ldap:accounts, ldapsource here tell postfix about VirtualAccount infor- # mation while doing Account ldap lookup mailbox_server_host = localhost mailbox_server_port = 389 mailbox_bind = yes mailbox_bind_dn = cn=admin,dc=example,dc=net mailbox_bind_pw = chen mailbox_search_base = ou=postfix,dc=example,dc=net mailbox_query_filter = ((mail=%s)(objectClass=postfixAccount))(|(AccountStatus=true)(accountStatus=enable))) mailbox_result_attribute = mailbox mailbox_version=3 mailbox_debuglevel=0 |
virtual_mailbox_limit_maps
quota_server_host = localhost quota_bind = yes quota_bind_dn = cn=admin,dc=example,dc=net quota_bind_pw = chen quota_search_base = ou=postfix,dc=example,dc=net quota_query_filter = ((objectClass=postfixAccount)(mail=%s))(AccountStatus=TRUE)) quota_result_attribute = quota quota_cache = yes quota_version=3 quota_debuglevel=0 |
sasl
smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous broken_sasl_auth_clients = yes smtpd_recipient_restrictions = permit_sasl_authenticated permit_auth_destination reject #smtpd_sasl_local_domain = $mydomain #smtpd_sasl_local_domain = $myhostname smtpd_sasl_local_domain = smtpd_client_restrictions = permit_sasl_authenticated #smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unknown_recipient_domain,reject_non_fqdn_recipient,check_relay_domains |
TLS/SSL
#TLS smtp_use_tls = yes smtpd_use_tls = yes #smtpd_tls_auth_only = yes smtp_tls_note_starttls_offer = yes smtpd_tls_key_file = $config_directory/ssl/post.pem smtpd_tls_cert_file = $config_directory/ssl/post.pem smtpd_tls_CAfile = $config_directory/ssl/post.pem smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom |
生成證書 [3]
smtp-amavis
content_filter = smtp-amavis:[127.0.0.1]:10024
Example 4. master.cf
debian:/etc/postfix# cat master.cf
#
# Postfix master process configuration file. Each logical line
# describes how a Postfix daemon program should be run.
#
# A logical line starts with non-whitespace, non-comment text.
# Empty lines and whitespace-only lines are ignored, as are comment
# lines whose first non-whitespace character is a `#'.
# A line that starts with whitespace continues a logical line.
#
# The fields that make up each line are described below. A "-" field
# value requests that a default value be used for that field.
#
# Service: any name that is valid for the specified transport type
# (the next field). With INET transports, a service is specified as
# host:port. The host part (and colon) may be omitted. Either host
# or port may be given in symbolic form or in numeric form. Examples
# for the SMTP server: localhost:smtp receives mail via the loopback
# interface only; 10025 receives mail on port 10025.
#
# Transport type: "inet" for Internet sockets, "unix" for UNIX-domain
# sockets, "fifo" for named pipes.
#
# Private: whether or not access is restricted to the mail system.
# Default is private service. Internet (inet) sockets can't be private.
#
# Unprivileged: whether the service runs with root privileges or as
# the owner of the Postfix system (the owner name is controlled by the
# mail_owner configuration variable in the main.cf file). Only the
# pipe, virtual and local delivery daemons require privileges.
#
# Chroot: whether or not the service runs chrooted to the mail queue
# directory (pathname is controlled by the queue_directory configuration
# variable in the main.cf file). Presently, all Postfix daemons can run
# chrooted, except for the pipe, virtual and local delivery daemons.
# The proxymap server can run chrooted, but doing so defeats most of
# the purpose of having that service in the first place.
# The files in the examples/chroot-setup subdirectory describe how
# to set up a Postfix chroot environment for your type of machine.
#
# Wakeup time: automatically wake up the named service after the
# specified number of seconds. A ? at the end of the wakeup time
# field requests that wake up events be sent only to services that
# are actually being used. Specify 0 for no wakeup. Presently, only
# the pickup, queue manager and flush daemons need a wakeup timer.
#
# Max procs: the maximum number of processes that may execute this
# service simultaneously. Default is to use a globally configurable
# limit (the default_process_limit configuration parameter in main.cf).
# Specify 0 for no process count limit.
#
# Command + args: the command to be executed. The command name is
# relative to the Postfix program directory (pathname is controlled by
# the daemon_directory configuration variable). Adding one or more
# -v options turns on verbose logging for that service; adding a -D
# option enables symbolic debugging (see the debugger_command variable
# in the main.cf configuration file). See individual command man pages
# for specific command-line options, if any.
#
# General main.cf options can be overridden for specific services.
# To override one or more main.cf options, specify them as arguments
# below, preceding each option by "-o". There must be no whitespace
# in the option itself (separate multiple values for an option by
# commas).
#
# In order to use the "uucp" message tranport below, set up entries
# in the transport table.
#
# In order to use the "cyrus" message transport below, configure it
# in main.cf as the mailbox_transport.
#
# SPECIFY ONLY PROGRAMS THAT ARE WRITTEN TO RUN AS POSTFIX DAEMONS.
# ALL DAEMONS SPECIFIED HERE MUST SPEAK A POSTFIX-INTERNAL PROTOCOL.
#
# DO NOT SHARE THE POSTFIX QUEUE BETWEEN MULTIPLE POSTFIX INSTANCES.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - - - - smtpd
#submission inet n - - - - smtpd
# -o smtpd_etrn_restrictions=reject
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - - 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
# only used by postfix-tls
#tlsmgr fifo - - n 300 1 tlsmgr
#smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#587 inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
smtp-amavis unix - - y - 2 smtp
-o smtp_data_done_timeout=1200s
-o smtp_never_send_ehlo=yes
-o disable_dns_lookups=yes
127.0.0.1:10025 inet n - y - - smtpd
-o content_filter=
-o local_recipient_maps=
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
|
Example 5. main.cf
debian:/etc/postfix# cat main.cf # See /usr/share/postfix/main.cf.dist for a commented, more complete version smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) biff = no # appending .domain is the MUA's job. append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h myhostname = mail.example.net mydomain = example.net alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases #mydestination = debian, example.net, localhost.localdomain, localhost mydestination = $myhostname, $mydomain, $transport_maps #relayhost = ISP SMTP #LAN -> WAN mynetworks = 127.0.0.0/8 mailbox_command = procmail -a "$EXTENSION" mailbox_size_limit = 0 recipient_delimiter = + #================== BASE =================== debug_peer_level = 2 smtpd_tls_loglevel=2 disable_vrfy_command = yes local_recipient_maps = transport_maps = hash:/etc/postfix/transport #=================== LDAP ==================== local_transport = virtual virtual_transport = virtual virtual_mailbox_base = /var/mail virtual_alias_maps = ldap:aliases #virtual_alias_domains = ldap:aliases virtual_mailbox_maps = ldap:mailbox #virtual_mailbox_domains = ldap:mailbox virtual_uid_maps = static:105 virtual_gid_maps = static:109 #virtual_minimum_uid = 500 virtual_mailbox_limit = 0 virtual_maildir_limit_message = "The user you're trying to reach is over quota." virtual_mailbox_limit_maps = ldap:quota virtual_mailbox_limit_override = yes virtual_mailbox_limit_inbox = yes #virtual_mailbox_size_limit = 1024000000 virtual_maildir_extended = yes virtual_create_maildirsize = yes # ldap:aliases, ldapsource here tell postfix the information while search # Alias instead of using hash file for lookup :-) aliases_server_host = localhost aliases_server_port = 389 aliases_bind = yes aliases_bind_dn = cn=admin,dc=example,dc=net aliases_bind_pw = chen aliases_search_base = ou=postfix,dc=example,dc=net aliases_query_filter = ((objectClass=postfixAccount)(mail=%s))(accountStatus=true)) #aliases_result_attribute = maildrop aliases_result_attribute = maildrop aliases_bind = yes aliases_cache = no aliases_version=3 aliases_debuglevel=0 # ldap:accounts, ldapsource here tell postfix about VirtualAccount infor- # mation while doing Account ldap lookup mailbox_server_host = localhost mailbox_server_port = 389 mailbox_bind = yes mailbox_bind_dn = cn=admin,dc=example,dc=net mailbox_bind_pw = chen mailbox_search_base = ou=postfix,dc=example,dc=net mailbox_query_filter = ((mail=%s)(objectClass=postfixAccount))(|(AccountStatus=true)(accountStatus=enable))) #mailbox_query_filter = (mail=%s) mailbox_result_attribute = mailbox mailbox_version=3 mailbox_debuglevel=0 quota_server_host = localhost quota_bind = yes quota_bind_dn = cn=admin,dc=example,dc=net quota_bind_pw = chen quota_search_base = ou=postfix,dc=example,dc=net quota_query_filter = ((objectClass=postfixAccount)(mail=%s))(AccountStatus=TRUE)) quota_result_attribute = quota quota_cache = yes quota_version=3 quota_debuglevel=0 #====== SASL ================ smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous broken_sasl_auth_clients = yes smtpd_recipient_restrictions = permit_sasl_authenticated permit_auth_destination reject #smtpd_sasl_local_domain = $mydomain #smtpd_sasl_local_domain = $myhostname smtpd_sasl_local_domain = smtpd_client_restrictions = permit_sasl_authenticated #smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unknown_recipient_domain,reject_non_fqdn_recipient,check_relay_domains #unknown_local_recipient_reject_code = 450 #smtp_use_tls = yes #smtpd_use_tls = yes ##smtpd_tls_auth_only = yes #smtpd_tls_loglevel = 3 #smtpd_tls_received_header = yes #smtpd_tls_session_cache_timeout = 600s #smtp_tls_note_starttls_offer = yes #smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key #smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt #smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem # tls config #smtp_use_tls = yes #smtpd_use_tls = yes #smtp_tls_note_starttls_offer = yes #smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem #smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem #smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem #smtpd_tls_loglevel = 1 #smtpd_tls_received_header = yes #smtpd_tls_session_cache_timeout = 3600s #tls_random_source = dev:/dev/urandom #TLS smtp_use_tls = yes smtpd_use_tls = yes #smtpd_tls_auth_only = yes smtp_tls_note_starttls_offer = yes smtpd_tls_key_file = $config_directory/ssl/post.pem smtpd_tls_cert_file = $config_directory/ssl/post.pem smtpd_tls_CAfile = $config_directory/ssl/post.pem smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom content_filter = smtp-amavis:[127.0.0.1]:10024 #mime_header_checks = pcre:/etc/postfix/body_checks |
| [1] |
| |
| [2] | virtual_maps已經不再使用,新的參數是virtual_alias_maps | |
| [3] |
|
| <<< Previous | Home | Next >>> |
| SASL SMTP認證 | Up | POP3,IMAP |